Multiple security researchers and research teams have published over the weekend lists ranging from 100 to 280 organizations that installed a trojanized version of the SolarWinds Orion platform and had their internal systems infected with the Sunburst malware.
The list includes the names of tech companies, local governments, universities, hospitals, banks, and telecom providers.
The biggest names on this list include the likes of Cisco, SAP, Intel, Cox Communications, Deloitte, Nvidia, Fujitsu, Belkin, Amerisafe, Lukoil, Rakuten, Check Point, Optimizely, Digital Reach, and Digital Sense.
MediaTek, one of the world’s largest semiconductor companies, is also believed to have been impacted, although security researchers aren’t 100% sure of its inclusion on their lists just yet.
Cracking the Sunburst subdomain mysteries
Security researchers compiled these lists by reverse-engineering the Sunburst (aka Solorigate) malware.
For ZDNet readers learning of the Sunburst malware for the first time, this malware was injected inside updates for the SolarWinds Orion app released between March and June 2020.
The boobytrapped updates planted the Sunburst malware deep inside the internal networks of many companies and government organizations that relied on the Orion app to monitor and keep inventories of internal IT systems.
According to deep-dive reports published last week by Microsoft, FireEye, McAfee, Symantec, Kaspersky, and US Cybersecurity and Infrastructure Security Agency (CISA), on infected systems, the malware would gather information about the victim company’s network, wait 12 to 14 days, and then send the data to a remote command and control server (C&C).
The hackers — believed to be a Russian state-sponsored group — would then analyze the data they received and escalate attacks only on networks that were of interest to their intelligence-gathering goals.
Last week, SolarWinds admitted to the hack and said that based on internal telemetry, almost 18,000 of its 300,000 customers downloaded versions of the Orion platform that contained the Sunburst malware.
Initially, it was thought that only SolarWinds could identify and notify all the impacted organizations. However, as security researchers kept analyzing Sunburst’s inner workings, they also discovered some quirks in the malware’s operations, namely in how it pinged its C&C server.
According to research published last week, Sunburst would send the data it collected from an infected network to a C&C server URL that was unique per victim.
This unique URL was a subdomain for avsvmcloud[.]com and contained four parts, where the first part was a random-looking string. However, security researchers said that this string wasn’t actually unique but contained the encoded name of the victim’s local network domain.
Since last week, several security firms and independent researchers have been sifting through historical web traffic and passive DNS data to collect information on traffic going to the avsvmcloud[.]com domain, crack the subdomains and then track down companies that installed a trojanized SolarWinds Orion app — and had the Sunburst malware beaconing from inside their networks back to the attackers’ server (now sinkholed thanks to Microsoft and FireEye).
A growing list of first-stage and second-stage victims
Cybersecurity firms TrueSec and Prevasio, security researcher Dewan Chowdhury, and Chinese security firm QiAnXin are among the several who have now published lists of Sunburst-infected organizations or tools to decode the avsvmcloud[.]com subdomains.
Companies like Cisco and Intel have formally confirmed they got infected in interviews with reporters over the weekend. Both companies have said they found no evidence that the hackers escalated access to deliver second-stage payloads on their systems.
VMWare and Microsoft, whose names were not on these public lists, also confirmed they installed trojanized Orion updates on their internal networks but also specified that they also did not find any evidence of escalation from the attackers.
However, the hackers did escalate their attacks on the networks of some of their targets. In an interview on Friday, FireEye CEO Kevin Mandia, whose company discovered the SolarWinds hack when investigating a breach of its internal systems, said that hackers, despite infecting almost 18,000 networks, only escalated access to around 50 targets, based on FireEye’s visibility.
In a separate report published on Friday, Microsoft also said it identified 40 of its customers that had installed infected Orion apps and where attackers escalated access.
“Escalation” usually happens when the avsvmcloud[.]com C&C server replied to an infected company with a specific DNS response containing a special CNAME field.
This special DNS CNAME field contained the location of a second C&C server from where the Sunburst malware would get additional commands and sometimes download other malware.
Currently, the only publicly known company where hackers escalated access is FireEye, whose breach response helped uncover the entire SolarWinds hack.
Making the difference between the two (a simple Sunburst infection and escalation) is crucial for incident responders. In the first case, they might only need to remove the Sunburst malware, while in the second, they might need to review logs to identify what internal systems hackers escalated access to and what data was stolen from their networks.
Several security researchers have told ZDNet today that a large part of the cybersecurity community is now working with content delivery networks, internet service providers, and other internet companies to collect passive DNS data and hunt down traffic to and from the avsvmcloud[.]com domain in order to identify other victims where attackers escalated access.
Below is a table compiled by security firm Truesec with the decoded internal domain names of some of the SolarWinds victims.
Decoded Internal Name | Possible Organization (may be inaccurate)* |
Response Address Family | Command | First Seen |
---|---|---|---|---|
mnh.rg-law.ac.il | College of Law and Business, Israel |
NetBios | HTTP Backdoor | 2020-05-26 |
ad001.mtk.lo | Mediatek | NetBios | HTTP Backdoor | 2020-08-26 |
Aeria | NetBios | HTTP Backdoor | 2020-06-26 | |
Ameri | NetBios | HTTP Backdoor | 2020-08-02 | |
ank.com | Ankcom Communications | NetBios | HTTP Backdoor | 2020-06-06 |
azlcyy | NetBios | HTTP Backdoor | 2020-08-07 | |
banccentral.com | BancCentral Financial Services Corp. |
NetBios | HTTP Backdoor | 2020-07-03 |
barrie.ca | City of Barrie | NetBios | HTTP Backdoor | 2020-05-13 |
BCC.l | NetBios | HTTP Backdoor | 2020-08-22 | |
bhq.lan | NetBios | HTTP Backdoor | 2020-08-18 | |
cds.capilanou. | Capilano University | NetBios | HTTP Backdoor | 2020-08-27 |
Centr | NetBios | HTTP Backdoor | 2020-06-24 | |
chc.dom | NetBios | HTTP Backdoor | 2020-08-04 | |
christieclinic. | Christie Clinic Telehealth | NetBios | HTTP Backdoor | 2020-04-22 |
CIMBM | NetBios | HTTP Backdoor | 2020-09-25 | |
CIRCU | NetBios | HTTP Backdoor | 2020-05-30 | |
CONSO | NetBios | HTTP Backdoor | 2020-06-17 | |
corp.ptci.com | Pioneer Telephone Scholarship Recipients |
NetBios | HTTP Backdoor | 2020-06-19 |
corp.stingraydi | Stingray (Media and entertainment) |
NetBios | HTTP Backdoor | 2020-06-10 |
corp.stratusnet | Stratus Networks | NetBios | HTTP Backdoor | 2020-04-28 |
cosgroves.local | Cosgroves (Building services consulting) |
NetBios | HTTP Backdoor | 2020-08-25 |
COTES | Cotes (Humidity Management) | NetBios | HTTP Backdoor | 2020-07-25 |
csnt.princegeor | City of Prince George | NetBios | HTTP Backdoor | 2020-09-18 |
cys.local | CYS Group (Marketing analytics) | NetBios | HTTP Backdoor | 2020-07-10 |
digitalsense.co | Digital Sense (Cloud Services) | NetBios | HTTP Backdoor | 2020-06-24 |
ehtuh- | NetBios | HTTP Backdoor | 2020-05-01 | |
escap.org | NetBios | HTTP Backdoor | 2020-07-10 | |
f.gnam | NetBios | HTTP Backdoor | 2020-04-04 | |
fhc.local | NetBios | HTTP Backdoor | 2020-07-06 | |
fidelitycomm.lo | Fidelity Communications (ISP) | NetBios | HTTP Backdoor | 2020-06-02 |
fisherbartoninc.com | The Fisher Barton Group (Blade Manufacturer) |
NetBios | HTTP Backdoor | 2020-05-15 |
fmtn.ad | City of Farmington | NetBios | HTTP Backdoor | 2020-07-21 |
FWO.I | NetBios | HTTP Backdoor | 2020-08-05 | |
ggsg-us.cisco | Cisco GGSG | NetBios | HTTP Backdoor | 2020-06-24 |
ghsmain1.ggh.g | NetBios | HTTP Backdoor | 2020-06-09 | |
gxw | NetBios | HTTP Backdoor | 2020-07-07 | |
htwanmgmt.local | NetBios | HTTP Backdoor | 2020-07-22 | |
ieb.go.id | NetBios | HTTP Backdoor | 2020-06-12 | |
int.ncahs.net | NetBios | HTTP Backdoor | 2020-09-23 | |
internal.jtl.c | NetBios | HTTP Backdoor | 2020-05-19 | |
ironform.com | Ironform (metal fabrication) | NetBios | HTTP Backdoor | 2020-06-19 |
isi | NetBios | HTTP Backdoor | 2020-07-06 | |
itps.uk.net | Infection Prevention Society (IPS) | NetBios | HTTP Backdoor | 2020-08-11 |
jxxyx. | NetBios | HTTP Backdoor | 2020-06-26 | |
kcpl.com | Kansas City Power and Light Company |
NetBios | HTTP Backdoor | 2020-07-07 |
keyano.local | Keyano College | NetBios | HTTP Backdoor | 2020-06-03 |
khi0kl | NetBios | HTTP Backdoor | 2020-08-26 | |
lhc_2f | NetBios | HTTP Backdoor | 2020-04-18 | |
lufkintexas.net | Lufkin (City in Texas) | NetBios | HTTP Backdoor | 2020-07-07 |
magnoliaisd.loc | Magnolia Independent School District |
NetBios | HTTP Backdoor | 2020-06-01 |
MOC.l | NetBios | HTTP Backdoor | 2020-04-30 | |
moncton.loc | City of Moncton | NetBios | HTTP Backdoor | 2020-08-25 |
mountsinai.hosp | Mount Sinai Hospital | NetBios | HTTP Backdoor | 2020-07-02 |
netdecisions.lo | Netdecisions (IT services) | NetBios | HTTP Backdoor | 2020-10-04 |
newdirections.k | NetBios | HTTP Backdoor | 2020-04-21 | |
nswhealth.net | NSW Health | NetBios | HTTP Backdoor | 2020-06-12 |
nzi_9p | NetBios | HTTP Backdoor | 2020-08-04 | |
city.kingston.on.ca | City of Kingston, Ontario, Canada |
NetBios | HTTP Backdoor | 2020-06-15 |
dufferincounty.on.ca | Dufferin County, Ontario, Canada |
NetBios | HTTP Backdoor | 2020-07-17 |
osb.local | NetBios | HTTP Backdoor | 2020-04-28 | |
oslerhc.org | William Osler Health System | NetBios | HTTP Backdoor | 2020-07-11 |
pageaz.gov | City of Page | NetBios | HTTP Backdoor | 2020-04-19 |
pcsco.com | Professional Computer Systems | NetBios | HTTP Backdoor | 2020-07-23 |
pkgix_ | NetBios | HTTP Backdoor | 2020-07-15 | |
pqcorp.com | PQ Corporation | NetBios | HTTP Backdoor | 2020-07-02 |
prod.hamilton. | Hamilton Company | NetBios | HTTP Backdoor | 2020-08-19 |
resprod.com | Res Group (Renewable energy company) |
NetBios | HTTP Backdoor | 2020-05-06 |
RPM.l | NetBios | HTTP Backdoor | 2020-05-28 | |
sdch.local | South Davis Community Hospital |
NetBios | HTTP Backdoor | 2020-05-18 |
servitia.intern | NetBios | HTTP Backdoor | 2020-06-16 | |
sfsi.stearnsban | Stearns Bank | NetBios | HTTP Backdoor | 2020-08-02 |
signaturebank.l | Signature Bank | NetBios | HTTP Backdoor | 2020-06-25 |
sm-group.local | SM Group (Distribution) | NetBios | HTTP Backdoor | 2020-07-07 |
te.nz | TE Connectivity (Sensor manufacturer) |
NetBios | HTTP Backdoor | 2020-05-13 |
thx8xb | NetBios | HTTP Backdoor | 2020-06-16 | |
tx.org | NetBios | HTTP Backdoor | 2020-07-15 | |
usd373.org | Newton Public Schools | NetBios | HTTP Backdoor | 2020-08-01 |
uzq | NetBios | HTTP Backdoor | 2020-10-02 | |
ville.terrebonn | Ville de Terrebonne | NetBios | HTTP Backdoor | 2020-08-02 |
wrbaustralia.ad | W. R. Berkley Insurance Australia | NetBios | HTTP Backdoor | 2020-07-11 |
ykz | NetBios | HTTP Backdoor | 2020-07-11 | |
2iqzth | ImpLink | Enum processes | 2020-06-17 | |
3if.2l | 3IF (Industrial Internet) | ImpLink | Enum processes | 2020-08-20 |
airquality.org | Sacramento Metropolitan Air Quality Management District |
ImpLink | Enum processes | 2020-08-09 |
ansc.gob.pe | GOB (Digital Platform of the Peruvian State) |
ImpLink | Enum processes | 2020-07-25 |
bcofsa.com.ar | Banco de Formosa | ImpLink | Enum processes | 2020-07-13 |
bi.corp | ImpLink | Enum processes | 2020-12-14 | |
bop.com.pk | The Bank of Punjab | ImpLink | Enum processes | 2020-09-18 |
camcity.local | ImpLink | Enum processes | 2020-08-07 | |
cow.local | ImpLink | Enum processes | 2020-06-13 | |
deniz.denizbank | DenizBank | ImpLink | Enum processes | 2020-11-14 |
ies.com | IES Communications (Communications technology) |
ImpLink | Enum processes | 2020-06-11 |
insead.org | INSEAD Business School | ImpLink | Enum processes | 2020-11-07 |
KS.LO | ImpLink | Enum processes | 2020-07-10 | |
mixonhill.com | Mixon Hill (intelligent transportation systems) |
ImpLink | Enum processes | 2020-04-29 |
ni.corp.natins | ImpLink | Enum processes | 2020-10-24 | |
phabahamas.org | Public Hospitals Authority, Caribbean |
ImpLink | Enum processes | 2020-11-05 |
rbe.sk.ca | Regina Public Schools | ImpLink | Enum processes | 2020-08-20 |
spsd.sk.ca | Saskatoon Public Schools | ImpLink | Enum processes | 2020-06-12 |
yorkton.cofy | Community Options for Families & Youth |
ImpLink | Enum processes | 2020-05-08 |
.sutmf | Ipx | Update config | 2020-06-25 |
Read more by Catalin Cimpanu
Share Your Thoughts?